VLAN
L3 subinterfaces need an IP address; L2 subinterfaces do not. The parent (physical) interface does not need an IP address for its subinterfaces to work.
----
*Network -> Interfaces -> Ethernet
*Network -> Interfaces -> VLAN
*Network -> VLANs
*Network -> Virtual Routers

The firewall supports VLANs that conform to the IEEE 802.1Q standard. Each Layer 2 interface defined on the firewall must be associated with a VLAN. The same VLAN can be assigned to multiple Layer 2 interfaces, but each interface can belong to only one VLAN.
*Optionally, a VLAN can specify a VLAN interface that routes traffic to a Layer 3 destination outside the VLAN.

When a physical interface needs to handle several VLANs, subinterfaces are created (one per VLAN). Each subinterface is configured with its 802.1Q tag and shows as "tagged" in the interface list, as opposed to the physical interface itself, which carries the untagged traffic.
*The IP address on the physical interface is used for untagged traffic.
*Each subinterface has its own IP address and VLAN tag, and can be placed in a security zone different from that of its "parent" physical interface.

The PAN firewall has no concept of a "Native VLAN". The logical interface assigned to the physical interface is the one that accepts untagged frames.
*Example:
**Eth1/1 = untagged traffic
**Eth1/1.100 = tagged with VLAN ID 100
**Eth1/1.200 = tagged with VLAN ID 200
*If VLAN 200 is configured as the Native VLAN on the Cisco switch, frames in VLAN 200 leave the switch with no tag. They enter the PAN device on Eth1/1, because that is the interface expecting untagged traffic, not on Eth1/1.200. For them to land on Eth1/1.200, VLAN 200 must leave the switch tagged.

'VLAN interface vs. Layer 3 subinterface'
Layer 3 subinterface = for router-on-a-stick / trunking configurations.
*You can use one switch with three different VLANs and trunk them all back to one firewall interface over a single Ethernet cable. The alternative would be three switches and three separate interfaces on the firewall.
EX: Layer 3 interface with multiple 802.1Q tagged subinterfaces:
*Sessions on the firewall show the subinterfaces as ingress and egress interface (via >show session all and >show session id <id> on the CLI, or the session details under the GUI Monitor tab).
*Check the traffic-flow details of a session to validate that the ingress and egress interfaces are the ones you expect.

Layer 2 interfaces and VLAN interfaces:
*Sessions on the firewall show the Layer 2 interfaces as the ingress and egress interface. VLAN interfaces do not show up as ingress or egress interface.
*To verify which interfaces traffic is actually using, you must use the debug traffic-flow commands (debug dataplane packet-diag, flow basic).

'Checklist'
To enable Layer 2 interfaces to connect to other networks, you need:
*at least 2 Layer 2 interfaces
*at least 1 Layer 2 Security Zone (for intrazone traffic)
*a VLAN
*a VLAN interface
*a Virtual Router
*at least one Layer 3 interface
Attach:
*the Layer 2 interfaces and the VLAN interface to the VLAN.
*the VLAN interface and the Layer 3 interface to the Virtual Router.

'Key Points to Remember'
*Layer 2 interfaces must be added to a VLAN to pass traffic.
*No VLANs exist by default. At least one must be created if any Layer 2 interfaces are used.
*A Layer 2 zone is only required for a Layer 2 interface if intra-VLAN traffic is needed.
*Layer 2 zones are only used for intra-VLAN communication.
*Layer 3 zones are used for communication between networks.
*A default VLAN ''interface'' exists, called "vlan".
*A VLAN interface must be attached to a VLAN to allow connectivity to other networks.
*A Virtual Router is required to connect a Layer 2 VLAN to other networks. Create one if the configuration does not already contain one (a factory configuration normally ships with one named "default").
*The default implicit action is Allow when source and destination are in the same zone (intrazone-default).
*The default implicit action is Deny when source and destination are in different zones (interzone-default).

'CONFIGURATION'
'CREATE TAGGED SUB-INTERFACES:'
Network -> Interfaces -> Ethernet -> add subinterface
#Choose Layer 3 or Layer 2.
#Add the 802.1Q tag.
#Add an IP address (Layer 3 subinterfaces only) and place the subinterface in a security zone; attach a Layer 3 subinterface to a Virtual Router, a Layer 2 subinterface to a VLAN.

'CREATE THE VLAN INTERFACE:' to configure connectivity on the firewall between the VLAN and other networks.
*VLAN interfaces operate at Layer 3. A VLAN interface is placed in a different (Layer 3) zone than the physical Layer 2 interfaces.
*The default VLAN interface named "vlan" cannot be used until it has been assigned to a Virtual Router, assigned to a VLAN, and placed in a Security Zone.
Network -> Interfaces -> VLAN
#VLAN interface name
#Add an IP address to serve as the gateway address for other devices on the VLAN.
#Assign the interface to a Virtual Router, a VLAN, and a Zone.

'DEFINE THE VLAN:'
Network -> VLAN
#Name the VLAN. This name appears in the list of VLANs when configuring interfaces.
#Select the VLAN interface to allow traffic to be routed outside the VLAN.
##(Network -> Interfaces -> VLAN)
#Select the Ethernet (Layer 2) interfaces that belong to the VLAN.
#(optional) ''L3 Forwarding enabled'' = Layer 3 routing over the selected interface.
#(optional) ''Static MAC Configuration'' = specify the interface through which a MAC address is reachable. This overrides any learned interface-to-MAC mapping.

'VIRTUAL ROUTER:'
Network -> Virtual Routers
Add a Virtual Router and attach the VLAN interface to it, to allow the VLAN to interoperate with other networks.
#Name it.
#Select any already defined Layer 3 or VLAN interfaces to add them to the Virtual Router.

'SECURITY ZONE:'
Traffic flowing through a Layer 2 interface can have a different security zone applied depending on where it goes: if it stays on the same VLAN, the Layer 2 zone applies; if it leaves the VLAN through the VLAN interface, the Layer 3 zone of that VLAN interface applies. Multiple Layer 2 security zones can exist within the same VLAN.
*Layer 2 security zone for all intra-zone VLAN traffic.

'VLAN Routing'
PAN firewalls enable connectivity between Layer 2 interfaces and Layer 3 interfaces with the use of a VLAN interface and a ''Virtual Router''.
*Create the VLAN interface. Assign it to the same VLAN as the Layer 2 interfaces that require connectivity.
*VLAN interfaces are assigned to a different zone than the Layer 2 interfaces, as a VLAN interface can only use Layer 3 security zones.

'Access Port (Untagged Port):'
Besides Layer 3 VLAN routing, an interface can be configured in Layer 2 mode without VLAN tagging (access mode).
*Configure the interface type as Layer 2 and specify a VLAN on the Ethernet interface itself.
*Then assign the interface to a zone.
*Do not configure a unit (subinterface) for the interface; a unit requires a tag (trunk mode).

'Tech Doc:'
How to create tagged sub-interfaces:
*https://live.paloaltonetworks.com/docs/DOC-1805
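As an added worked example (not code from this wiki page or from Palo Alto Networks), the following Python script models the objects discussed above, both the router-on-a-stick subinterface example (Eth1/1, Eth1/1.100, Eth1/1.200) and the Layer 2 VLAN routing procedure (Layer 2 interfaces, VLAN, VLAN interface, Virtual Router, zones). It checks the wiring rules from the Checklist and Key Points, renders the equivalent PAN-OS set commands, and shows the implicit intrazone-allow / interzone-deny behaviour. All names and addresses (zones trust, users-l2, users-l3; VLAN object vlan300; VLAN interface vlan.300; the 10.1.x.x/24 subnets) are made up, and the set-command syntax is an assumption written from memory of the PAN-OS CLI: confirm it with ? in configure mode before using it on a firewall.

```python
"""Added example (not from the wiki page or Palo Alto Networks): model the
objects this page describes, check the wiring rules from the Checklist and
Key Points, and render matching PAN-OS 'set' commands.  Names and addresses
are made up; the 'set' syntax is an assumption from memory of the PAN-OS CLI."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Iface:
    name: str                      # "ethernet1/1", "ethernet1/1.100" or "vlan.300"
    mode: str                      # "layer3", "layer2" or "vlan" (a VLAN interface)
    tag: Optional[int] = None      # 802.1Q tag on a sub-interface; None = untagged
    ip: Optional[str] = None       # required on layer3 and vlan, never on layer2
    zone: Optional[str] = None
    vlan: Optional[str] = None     # VLAN object name (layer2 and vlan modes)
    vrouter: Optional[str] = None  # virtual router name (layer3 and vlan modes)


@dataclass
class Design:
    zones: Dict[str, str] = field(default_factory=dict)  # zone -> "layer2"/"layer3"
    vlans: Set[str] = field(default_factory=set)        # VLAN object names
    vrouters: Set[str] = field(default_factory=set)
    ifaces: Dict[str, Iface] = field(default_factory=dict)


def validate(d: Design) -> List[str]:
    """Return the wiring mistakes the page warns about; an empty list means OK."""
    problems: List[str] = []
    for i in d.ifaces.values():
        want_zone = "layer2" if i.mode == "layer2" else "layer3"
        if d.zones.get(i.zone) != want_zone:
            problems.append(f"{i.name}: needs a {want_zone} zone, has {i.zone}")
        if i.mode in ("layer2", "layer3"):
            is_unit = "." in i.name  # sub-interface hanging off a physical parent
            if is_unit and i.tag is None:
                problems.append(f"{i.name}: sub-interface without an 802.1Q tag")
            if not is_unit and i.tag is not None:  # PAN-OS has no native VLAN
                problems.append(f"{i.name}: physical interface cannot carry a tag")
        if i.mode == "layer2":
            if i.ip:
                problems.append(f"{i.name}: Layer 2 interface must not have an IP")
            if i.vlan not in d.vlans:
                problems.append(f"{i.name}: Layer 2 interface is not attached to a VLAN")
        else:  # layer3 or vlan: routed, so it needs an address and a virtual router
            if not i.ip:
                problems.append(f"{i.name}: {i.mode} interface needs an IP address")
            if i.vrouter not in d.vrouters:
                problems.append(f"{i.name}: not attached to a virtual router")
            if i.mode == "vlan" and i.vlan not in d.vlans:
                problems.append(f"{i.name}: VLAN interface is not attached to a VLAN")
    return problems


def render(d: Design) -> List[str]:
    """PAN-OS-style 'set' commands for the design (syntax assumed, see docstring)."""
    cmds: List[str] = []
    for i in d.ifaces.values():
        if i.mode == "vlan":
            cmds.append(f"set network interface vlan units {i.name} ip {i.ip}")
            cmds.append(f"set network vlan {i.vlan} virtual-interface interface {i.name}")
        else:
            base = f"set network interface ethernet {i.name.partition('.')[0]} {i.mode}"
            if i.tag is None:
                cmds.append(base)  # physical interface: set the mode, stays untagged
            else:
                base += f" units {i.name}"
                cmds.append(f"{base} tag {i.tag}")
            if i.ip:
                cmds.append(f"{base} ip {i.ip}")
            if i.mode == "layer2":
                cmds.append(f"set network vlan {i.vlan} interface {i.name}")
        if i.vrouter:
            cmds.append(f"set network virtual-router {i.vrouter} interface {i.name}")
        cmds.append(f"set zone {i.zone} network {d.zones[i.zone]} {i.name}")
    return cmds


def default_action(d: Design, src: str, dst: str) -> str:
    """Implicit policy with no rules written: intrazone allow, interzone deny."""
    return "allow" if d.ifaces[src].zone == d.ifaces[dst].zone else "deny"


def example(with_mistakes: bool = False) -> Design:
    """The page's topology: a router-on-a-stick trunk on ethernet1/1, plus two
    Layer 2 access ports switched inside vlan300 and routed out via vlan.300."""
    d = Design(zones={"trust": "layer3", "users-l2": "layer2", "users-l3": "layer3"},
               vlans={"vlan300"}, vrouters={"default"})
    for i in (
        Iface("ethernet1/1", "layer3", ip="10.1.0.1/24", zone="trust", vrouter="default"),
        Iface("ethernet1/1.100", "layer3", 100, "10.1.100.1/24", "trust", vrouter="default"),
        Iface("ethernet1/1.200", "layer3", 200, "10.1.200.1/24", "trust", vrouter="default"),
        Iface("ethernet1/2", "layer2", zone="users-l2", vlan="vlan300"),
        Iface("ethernet1/3", "layer2", zone="users-l2", vlan="vlan300"),
        Iface("vlan.300", "vlan", ip="10.1.30.1/24", zone="users-l3", vlan="vlan300", vrouter="default"),
    ):
        d.ifaces[i.name] = i
    if with_mistakes:  # three slips from the Key Points, for validate() to catch
        d.ifaces["ethernet1/3"].vlan = None    # L2 port never attached to the VLAN
        d.ifaces["vlan.300"].vrouter = None    # VLAN interface not in a virtual router
        d.ifaces["ethernet1/1"].tag = 200      # parent given a "native VLAN" tag
    return d


if __name__ == "__main__":
    print("\n".join(render(example())))
    print("\nproblems:", validate(example(with_mistakes=True)))
```

Running the script prints the set commands for the clean design and then the three problems validate() finds in the flawed one; the zone check mirrors the rule that a VLAN interface can only sit in a Layer 3 zone while a Layer 2 interface needs a Layer 2 zone, and default_action() shows why two Layer 2 ports in the same zone talk by default while Layer 2 to vlan.300 traffic is dropped until a security rule allows it.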